6 Answers

OSSEC is a full platform to monitor and control your systems. It mixes together all the aspects of HIDS (host-based intrusion detection), log monitoring and SIM/SIEM in a simple, powerful and open source solution.

And for Log Monitoring/Alerting:

Real-time and Configurable Alerts

OSSEC lets customers configure incidents they want to be alerted on, which lets them focus on raising the priority of critical incidents over the regular noise on any system. Integration with SMTP, SMS and syslog allows customers to be on top of alerts by sending these on to e-mail and handheld devices such as cell phones and pagers.

[...]

Every operating system, application, and device on your network generates logs (events) to let you know what is happening. OSSEC collects, analyzes and correlates these logs to let you know if something wrong is going on (attack, misuse, errors, etc.).

Be sure to substitute in your email recipient, sender, and SMTP server name.

You define the events you want to be alerted on with the "PushEventToMonitor" call. The arguments are: event ID, event log name, source, category, type, user, and a regular expression that can be matched against the log message. I have an example in there that matches the start / stop of the TELNET service, as well as one that will match the startup of the script itself (which logs an event out to the Application Log).

This is a first draft because the one that I wrote for a Customer that's actually "in production" was written on their dime and "belongs" to them. As such, I've re-coded this one (which is actually substantially different from the one used by the Customer) and it may well have stupid bugs lurking in it. I've run it for a little while tonight on some of my systems and I'm not seeing problems.

Maybe I'll eventually make this a little better. It would be nice if it pulled its configuration out of the registry (so it could be controlled with Group Policy) and if it was packaged as an MSI for easy deployment to groups of servers. Oh, well.
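The script the answer above refers to is not reproduced on this page, so here is an added example (not the author's script, and not from any product mentioned here) that implements the same idea in PowerShell: a table of watch rules keyed on the same fields the answer lists for PushEventToMonitor (event ID, log name, source, type/level, user, and a regex against the message), a poll loop over Get-WinEvent, and an e-mail per hit. The recipient, sender and SMTP server are placeholders you must substitute, exactly as the answer says. The Service Control Manager event ID 7036 ("service entered the running/stopped state") is used for the Telnet start/stop rule; the 'EventMonitor' source name and the example.com addresses are assumptions.

```powershell
# Added example: poll Windows event logs for rule matches and mail each hit.
# Substitute your own recipient, sender and SMTP server (assumed placeholders).
$MailFrom    = 'eventmon@example.com'
$MailTo      = 'ops@example.com'
$SmtpServer  = 'smtp.example.com'
$PollSeconds = 60

# One rule per event to watch. $null means "do not filter on this field".
# Fields mirror the answer's PushEventToMonitor arguments: event ID, log name,
# source, type (Level: 1=Critical 2=Error 3=Warning 4=Information), user SID,
# and a regular expression matched against the message text.
$Rules = @(
    # Service Control Manager logs ID 7036 whenever a service changes state;
    # the regex narrows it to the Telnet service starting or stopping.
    @{ Id = 7036;  LogName = 'System';      Source = 'Service Control Manager'; Level = $null; User = $null;
       MessageRegex = 'Telnet service entered the (running|stopped) state' },
    # Any Error-level event in the Application log, from any source.
    @{ Id = $null; LogName = 'Application'; Source = $null;                    Level = 2;     User = $null;
       MessageRegex = '.' }
)

function Test-RuleMatch {
    param($Event, $Rule)
    # Every non-null rule field must match; the regex is always applied last.
    if ($null -ne $Rule.Id     -and $Event.Id           -ne $Rule.Id)     { return $false }
    if ($null -ne $Rule.Source -and $Event.ProviderName -ne $Rule.Source) { return $false }
    if ($null -ne $Rule.Level  -and $Event.Level        -ne $Rule.Level)  { return $false }
    if ($null -ne $Rule.User   -and "$($Event.UserId)"  -ne $Rule.User)   { return $false }
    return [bool]($Event.Message -match $Rule.MessageRegex)
}

function Send-EventAlert {
    param($LogName, $Event)
    $body = "Host:   $env:COMPUTERNAME`nTime:   $($Event.TimeCreated)`nLog:    $LogName`n" +
            "Source: $($Event.ProviderName)`nID:     $($Event.Id)`n`n$($Event.Message)"
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer `
        -Subject "[$env:COMPUTERNAME] $LogName event $($Event.Id) from $($Event.ProviderName)" `
        -Body $body
}

# Record our own startup in the Application log, as the answer's script does.
# The source must be registered once, elevated:
#   New-EventLog -LogName Application -Source 'EventMonitor'   (assumed source name)
Write-EventLog -LogName Application -Source 'EventMonitor' -EventId 1000 `
    -EntryType Information -Message 'Event monitor started' -ErrorAction SilentlyContinue

$logNames = $Rules | ForEach-Object { $_.LogName } | Sort-Object -Unique
$since = Get-Date
while ($true) {
    Start-Sleep -Seconds $PollSeconds
    $now = Get-Date
    foreach ($logName in $logNames) {
        # Get-WinEvent raises an error when nothing matches the window, so silence it.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $since; EndTime = $now } `
                               -ErrorAction SilentlyContinue
        $logRules = $Rules | Where-Object { $_.LogName -eq $logName }
        foreach ($ev in $events) {
            foreach ($rule in $logRules) {
                if (Test-RuleMatch -Event $ev -Rule $rule) { Send-EventAlert -LogName $logName -Event $ev }
            }
        }
    }
    $since = $now   # advance the window so each event is seen once
}
```

Two things to watch when running something like this: filter as much as possible inside the Get-WinEvent hashtable (log name and time window here) rather than in the script, because pulling a busy Security log through a PowerShell loop every minute is expensive; and treat a rule with a bare '.' regex as a firehose that needs a tight Level or Source filter, or the mailbox becomes the noise the answer above warns about.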

The latest build of GFI EventsManager™ has improved alert level for key events or intrusions that are detected on the network. GFI EventsManager allows you to trigger actions such as scripts or to send an alert to one or more people by email, network messages, SMS notifications sent through an email-to-SMS gateway or service and now includes SNMPv2 traps. The generation of SNMP alerts will also allow administrators to integrate GFI EventsManager with pre-existing or generic monitoring mechanisms.